_blank Burp Plugin

This is a follow-up post to the _blank Links write-up I did recently.

Burp Suite is a tool I use daily for pentesting, and one of its important functions is the ability to extend the tool itself with plugins. Given my history of writing tons of Java (ಠ_ಠ), I figured I should take a look at extending the tool I use every day.

You can technically write Burp Suite plugins in Python or Ruby. My Ruby skills aren’t amazing, and neither Python nor Ruby is highly recommended by PortSwigger.

"Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python/Ruby extensions, or if you unload and reload a Python/Ruby extension multiple times."

The UnderscoreBlank plugin can be found on my GitHub:

https://github.com/cptwin/_blank-Burp-Plugin

Feel free to use it in any way, shape or form, or not. I would highly recommend anyone developing Java use JetBrains IntelliJ IDEA. The Community edition is perfectly good for most development I’ve come across.

I won’t dive too far into getting a Hello World example up, as PortSwigger already has great documentation on how to get started writing Burp Suite plugins: https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension

The UnderscoreBlank plugin is simple: it gets loaded by Burp Suite, and when a response comes in it fires the doPassiveScan method.

@Override
public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
    return checkForVuln(baseRequestResponse);
}

doPassiveScan returns the result of the checkForVuln method. The checkForVuln method simply compiles two regex patterns and builds a matcher from each (yes, there is room for performance and code tidiness here) to check for target="_blank" and rel="opener" in any responses that come through.

public List<IScanIssue> checkForVuln(IHttpRequestResponse baseRequestResponse) {
    // Convert the raw response bytes (headers and body) to a String
    String response = helpers.bytesToString(baseRequestResponse.getResponse());
    // DOTALL lets ".*" span newlines, so matches() succeeds if the attribute appears anywhere
    Pattern patternUnderscoreBlank = Pattern.compile(".*target=\"_blank\".*", Pattern.DOTALL);
    Matcher matcherUnderscoreBlank = patternUnderscoreBlank.matcher(response);
    Pattern patternRelOpener = Pattern.compile(".*rel=\"opener\".*", Pattern.DOTALL);
    Matcher matcherRelOpener = patternRelOpener.matcher(response);
    // Both patterns run against the whole response; no content-type filtering is applied here
    if (matcherUnderscoreBlank.matches() && matcherRelOpener.matches()) {
        List<IScanIssue> issues = new ArrayList<>(1);
        issues.add(new UnderscoreBlankIssue(baseRequestResponse));
        return issues;
    }
    // null tells Burp that no issues were identified
    return null;
}
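A tighter version of the same check, as an added example rather than code from the plugin: the two patterns above are matched against the whole response independently, so they fire when the attributes sit on different elements and miss single-quoted or unquoted values. This version evaluates each <a>/<area> tag on its own and treats rel as a token list; the class name, method name and sample markup are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the plugin's code; class and method names are hypothetical.
public class BlankOpenerCheck {
    // Compiled once and reused: opening <a>/<area> tags, then target/rel attributes.
    private static final Pattern TAG =
        Pattern.compile("<(?:a|area)\\b[^>]*>", Pattern.CASE_INSENSITIVE);
    private static final Pattern ATTR = Pattern.compile(
        "(?<![\\w-])(target|rel)\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))",
        Pattern.CASE_INSENSITIVE);

    /** Returns each tag that carries both target=_blank and the rel token "opener". */
    public static List<String> findOpenerLinks(String html) {
        List<String> hits = new ArrayList<>();
        Matcher tag = TAG.matcher(html);
        while (tag.find()) {
            boolean blank = false, opener = false;
            Matcher attr = ATTR.matcher(tag.group());
            while (attr.find()) {
                String value = attr.group(2) != null ? attr.group(2)
                             : attr.group(3) != null ? attr.group(3) : attr.group(4);
                value = value.trim().toLowerCase(Locale.ROOT);
                if (attr.group(1).equalsIgnoreCase("target")) {
                    blank = value.equals("_blank");
                } else {
                    // rel is a space-separated token list, so "noopener" must not count.
                    opener = Arrays.asList(value.split("\\s+")).contains("opener");
                }
            }
            if (blank && opener) {
                hits.add(tag.group());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample markup: only the first anchor should be reported.
        String html = "<a href='/x' target=_blank rel='noreferrer opener'>one</a>\n"
            + "<a href=\"/y\" target=\"_blank\" rel=\"noopener\">two</a>\n"
            + "<a href=\"/z\" target=\"_blank\">three</a><a href=\"/w\" rel=\"opener\">four</a>\n";
        findOpenerLinks(html).forEach(System.out::println);
    }
}
```

Matching tags with a regex is still approximate (a literal ">" or the text "target=" inside another attribute value can confuse it), so an HTML parser is the more reliable option if the check needs to be exact.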

Additionally (although somewhat redundantly) when an active scan is performed the same functionality will be called. However, this will fire through the aptly named doActiveScan.

@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    return checkForVuln(baseRequestResponse);
}

If you point your Burp Suite against: https://cptwin.github.io/pocs/underscoreblank1.html with either a Passive or Active scan, you will see this finding pop up in the interface.

This information is controlled from the UnderscoreBlankIssue class and presented to the user. If I were to build a plugin with multiple issues I would probably create this in its own file to make it easier to find and use. The issue details could do with updating as well.

Hopefully this helps someone kickstart a project they were thinking about starting. Let me know if you end up making a Burp Suite plugin (even if it isn’t using my starter project).